This release includes the following changes:
o libssh2_session_set_last_error: Add function
o mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
o WinCNG: support for SHA256/512 HMAC
o kex: Added diffie-hellman-group-exchange-sha256 support
o OS/400 crypto library QC3 support
This release includes the following security advisory:
o diffie_hellman_sha256: convert bytes to bits
CVE-2016-0787: http://www.libssh2.org/adv_20160223.html
This release includes the following bugfixes:
o SFTP: Increase speed and datasize in SFTP read
o openssl: make libssh2_sha1 return error code
o openssl: fix memleak in _libssh2_dsa_sha1_verify()
o cmake: include CMake files in the release tarballs
o Fix builds with Visual Studio 2015
o hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
o GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
o GNUmakefile: add -m64 CFLAGS when targeting mingw64
o kex: free server host key before allocating it (again)
o SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
o channel: Detect bad usage of libssh2_channel_process_startup
o userauth: Fix off by one error when reading public key file
o kex: removed dupe entry from libssh2_kex_methods
o _libssh2_error: Support allocating the error message
o hostkey: fix invalid memory access if libssh2_dsa_new fails
o hostkey: align code path of ssh_rsa_init to ssh_dss_init
o libssh2.pc.in: fix the output of pkg-config --libs
o wincng: fixed possible memory leak in _libssh2_wincng_hash
o wincng: fixed _libssh2_wincng_hash_final return value
o add OpenSSL 1.1.0-pre2 compatibility
o agent_disconnect_unix: unset the agent fd after closing it
o sftp: stop reading when buffer is full
o sftp: Send at least one read request before reading
o sftp: Don't return EAGAIN if data was written to buffer
o sftp: Check read packet file offset
o configure: build "silent" if possible
o openssl: add OpenSSL 1.1.0-pre3-dev compatibility
o GNUmakefile: list system libs after user libs
By default all plugins from pkgs.gimpPlugins set are enabled.
Default location of plugins changed from $out/${gimp.name} to
$out/lib/gimp/${majorVersion}. Resulting derivation for gimp+plugins
is set as search path for plugins by default (additional tweaking in
gimprc done for old plugin scheme should be removed)
From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
